Field

What to capture

Why it matters

System name

Internal name and vendor name if applicable

Disambiguation across teams

Owner

Named individual (not role)

Single point of accountability

Purpose

What it does, in one sentence

Plain-English summary for non-technical reviewers

Data inputs

What data goes in (categories, sources, sensitivity)

GDPR scope determination

Model type

ML, generative AI, statistical model, rule-based, etc.

Risk profile and explainability characteristics

Deployment context

Internal use, customer-facing, embedded in product, etc.

Determines obligations and audience

Users

Who interacts with the system (employees, customers, end-users)

Transparency obligation triggers

Decisions influenced

What outcomes does the AI affect? (Hiring, credit, content, recommendations, etc.)

Risk classification under EU AI Act

Vendors involved

Foundation model providers, infrastructure, evaluation tools

Sub-processor mapping

Last review date

When was this system last assessed?

Audit defensibility

Change frequency

How often is the system updated, retrained, or modified?

Monitoring cadence requirements

Current risk classification

Prohibited / High-Risk / Limited-Risk / Minimal-Risk

Maps obligations